Your browser either does not support JavaScript or you have turned JavaScript off.

Zyxel security advisory for DNSpooq

CVE: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687

Summary

Zyxel will release patches for products affected by the Dnsmasq vulnerabilities reported by CERT/CC. Users are advised to install the applicable firmware updates or follow the best practices for optimal protection.


What is the vulnerability?

Dnsmasq, open-source software that provides DNS forwarding and caching, has two sets of vulnerabilities, as listed below. Dubbed as DNSpooq, these vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target environment.

  • Memory corruption vulnerabilities due to boundary checking errors in DNSSEC handling code. (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687)
  • DNS response validation vulnerabilities that can result in DNS cache poisoning. (CVE-2020-25684, CVE-2020-25685, and CVE-2020-25686)

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified products that make use of the Dnsmasq software and confirmed that these products are only affected by the DNS response validation vulnerabilities with medium severity. We’ll include the solution in the affected products’ next regular firmware releases to address the issues, as shown in the table below. For optimal protection, we urge users to install the applicable updates when they become available or follow CERT/CC’s best practices when protecting DNS infrastructure before the firmware updates become available:

  • Protect your DNS clients and DNS client software using stateful-inspection firewall that can provide application security.
  • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
  • Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
  • Regularly update software and embedded firmware to the latest available version and the recommended secure configuration suitable for your operations environment (e.g., disable caching if not needed or provided by an upstream server).

Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP support team directly, as the device may have custom-built settings.

For end-users who purchased the Zyxel devices on your own, please contact your local Zyxel support team or visit our forum if you require further assistance.

Affected series/models Patch available in
CPE
AX7501-B0 V5.15(ABPC.1)C0 in June 2021
DX5510-B0 V5.17(ABVV.1)C0 in Dec 2021
EMG3525-T50B V5.50(ABPM.6)C0 in June 2021
EMG5523-T50B V5.50(ABPM.6)C0 in June 2021
EMG5723-T50K V5.50(ABOM.7)C0 in June 2021
EMG6726-B10A V5.13(ABNP.7)C0 in Dec 2021
EX3510-B0 V5.17(ABUP.4)C0 in Dec 2021
EX5501-B0 V5.15(ABRY.2)C0 in June 2021
EX5510-B0 V5.17(ABQX.4)C0 in Dec 2021
VMG1312-T20B V5.50(ABSB.5)C0 in June 2021
VMG3625-T50B V5.50(ABPM.6)C0 in June 2021
VMG3927-B50A_B60A V5.15(ABMT.7)C0 in June 2021
VMG3927-B50B V5.13(ABLY.7)C0 in Dec 2021
VMG3927-T50K V5.50(ABOM.7)C0 in June 2021
VMG4005-B50B V5.13(ABRL.5)C0 in Dec 2021
VMG4927-B50A V5.13(ABLY.7)C0 in Dec 2021
VMG8623-T50B V5.50(ABPM.6)C0 in June 2021
VMG8825-B50A_B60A V5.15(ABMT.7)C0 in June 2021
VMG8825-Bx0B V5.15(ABNY.7)C0 in June 2021
VMG8825-T50K V5.50(ABOM.7)C0 in June 2021
XMG3927-B50A V5.15(ABMT.7)C0 in June 2021
XMG8825-B50A V5.15(ABMT.7)C0 in June 2021
ONT
PMG2005-T20D V1.00(ABWX.1)C0 in Q2 2021
PMG5317-T20B V5.40(ABKI.4)C0 in Q2 2021
PMG5617GA V5.40(ABNA.2)C0 in Q2 2021
PMG5622GA V5.40(ABNB.2)C0 in Q2 2021
LTE
LTE1566 V1.00(ABUD.3)C0 in Dec 2021
LTE2566 V1.00(ABTW.3)C0 in Dec 2021
LTE3202 V1.00(ABVM.3)C0 in Dec 2021
LTE3301 V1.00(ABLG.5)C0 in Dec 2021
LTE3301Plus V1.00(ABQU4)C0 in Sep 2021
LTE3302 V1.00(ABLM.5)C0 in Dec 2021
LTE3316 V1.00(ABMP.5)C0 in Dec 2021
LTE3316v2 V2.00(ABMP.5)C0 in Dec 2021
LTE5366 V1.00(ABKA.2)C0 in Dec 2021
LTE7240 V2.00(ABMG.4)C0 in Dec 2021
LTE7460 V1.00(ABFR.6)C0 in Dec 2021
LTE7461 V2.00(ABQN.3)C0 in Sep 2021
LTE7480 V1.00(ABRA.3)C0 in Sep 2021
LTE7485 V1.00(ABVN.4)C0 in Sep 2021
LTE7490 V1.00(ABQY.3)C0 in Sep 2021
WAH7601 V1.00(ABRH.3)C0 in Dec 2021
WAH7608 V1.00(ABKW.2)C0 in Dec 2021
WAH7706 V1.00(ABBC.12)C0 in Dec 2021
Home router
NBG6515 V1.00(AAXS.8)C0 in Dec 2021
NBG6604 V1.00(ABIR.6)C0 in Dec 2021
NBG6615 V1.00(ABMV.5)C0 in Dec 2021
NBG6817 V1.00(ABCS.11)C0 in Sep 2021
NBG6818 V1.00(ABSC.5)C0 in Sep 2021
NBG7815 V1.00(ABSK.6)C0 in Sep 2021
WSQ50 V2.20(ABKJ.5)C0 in Mar 2021
WSQ60 V2.20(ABND.6)C0 in Sep 2021
WSR30 V1.00(ABMY.12)C0 in Sep 2021
AP
Unified Pro series V6.20 in Mar 2021
Unified series V6.20 in Mar 2021
Standalone series V6.20 in Mar 2021
Cloud-managed series V6.20 in Mar 2021
Firewall
VPN2S Hotfix available upon request*

*Please reach out to your local Zyxel support team for the file.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.


Acknowledgment

Thanks to CERT/CC for reporting the issue to us.


Revision history

2021-1-21: Initial release
2021-2-1: Updated the WSQ50 firmware schedule and removed NBG418v2 as it’s not affected
2021-2-24: Updated the patch plan for LTE models